Deploying a Cisco Mobility Express network

My wireless network has been based on a WLC2504 controller with two 2602 AP’s. The network has been running quite well, with of course the caveats that came with the different WLC releases. With the maturity of Mobility Express (ME), the need for a dedicated controller for such a small-sized wireless network has basically become obsolete, as one of the AP’s becomes the master controller in the network. I was able to acquire two 1852 AP’s with ME, so it is time to upgrade my wireless network to 802.11ac with ME.

Design considerations

Joep Remkes, a Cisco Systems Engineer, was kind enough to share the Cisco Mobility Express Quick Start Guide and explained to me what Mobility Express actually is. The latter is key to understanding it: in effect, a mini Wireless LAN Controller (mini WLC) runs as a virtual machine inside the AP code. Because it is a separate machine, it has a separate IP address and you manage it separately. That is something you really need to keep in mind when deploying Mobility Express. Another thing to be aware of is that FlexConnect is used for breakout, so yes, there is a CAPWAP tunnel, but not for client traffic. The figure below displays functionally how Mobility Express is essentially organised.

So in a Mobility Express deployment, there is a master election (i.e. which AP in your network becomes your controller and manages the configuration). The diagram below describes the flow that an AP goes through when booting up.

Setting up a fresh ME deployment

Setting up an ME-based deployment is really easy. Of course the Cisco guide is more extensively written, but for my deployment, I executed the following steps.

Create VLAN and DHCP scope

As I run an external DHCP server (my IOS switch) and, within an ME setup, you cannot use both an external and the internal DHCP server, I created a new AP-VLAN (221) and configured the DHCP scope on my core switch. There are no special DHCP options required for the discovery of the master AP on your network.

na-vur-c3560-1#config term
na-vur-c3560-1(config)#vlan 221
na-vur-c3560-1(config-vlan)#name ap-net
na-vur-c3560-1(config)#ip dhcp excluded-address
na-vur-c3560-1(config)#ip dhcp excluded-address
na-vur-c3560-1(config)#ip dhcp pool wireless-ap

Configure interface for your master AP

Once the VLAN and DHCP scope are configured, configure the switch with an SVI (layer 3 interface) and configure the interface to which the AP will be connected.

na-vur-c3560-1(config)#interface vlan221
na-vur-c3560-1(config-if)#description ap-net
na-vur-c3560-1(config-if)#ip add
na-vur-c3560-1(config-if)#no shut
na-vur-c3560-1(config-if)#interface GigabitEthernet0/3
na-vur-c3560-1(config-if)#description ge0-0-1852-master
na-vur-c3560-1(config-if)#switchport trunk encapsulation dot1q
na-vur-c3560-1(config-if)#switchport mode trunk
na-vur-c3560-1(config-if)#switchport trunk native vlan 221

If you use VLANs, you have to use the native VLAN for that network, so that the master AP gets an IP address in the proper network. I’ve added the configuration spanning-tree portfast trunk, as STP blocking can delay client onboarding.

Bootup the master AP

Now plug in the master AP and wait while the AP boots. The AP master selection process will be executed. Wait until you see the SSID “CiscoAirProvision”. The SSID “CiscoAirProvision” is used by Cisco for over-the-air configuration. Use password “password” to connect to the network. You will get an internal IP address.

Connect to SSID “CiscoAirProvision” and configure

Once you’re connected, start a browser and go to the site or easier, Run through the steps of the wizard (see screenshots below) and apply the values that are appropriate to your environment.

Apply settings and test with the Master AP

Now apply the settings, wait until the AP is rebooted and connect to your network. Once connected, use your browser to check that you can connect to the IP address of the master AP controller. As you’ll see, the GUI is similar to the new WLC 8.2+ frontpage and is very recognisable.

Now configure other AP’s and switch interfaces

Once the Master AP works, configure other PoE-enabled ports on your switch for the other AP’s, plug them in and wait. After some time, the AP’s will join the master AP and your wireless network is set up! For this, I’ve used the same interface config as the master AP, except for the description.

Upgrading an ME deployment is slightly different from upgrading your controller-based deployment; that will be another blog post (soon).

10 Responses

  1. Hello Pieter-Jan,

    My name is David and I also live in the Netherlands :). Great to see your post about Cisco ME.

    I am setting up a home lab just to experience Cisco ME, I have these 2 APs:
    One AIR-AP1815i-E-K9 (AP Running Image:, running as the WLC, it is working. It was configured by the CLI Initial Configuration Wizard. I can log into its web GUI, its SSID “employee” is working. With controller IP address
    One AIR-CAP2602I-E-K9 [Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Experimental Version 15.3(20150924:055549)], with AP IP address
    The problem is that the 2602I failed to join the 1815i WLC

    This is the logging from the 1815i WLC side:
    *spamApTask0: Nov 20 16:32:52.535: %CAPWAP-3-JOIN_UNSUPP_AP: capwap_ac_sm.c:5165 The system has received a join request from an unsupported AP 5c:a4:8a:1e:c2:60 AP78da.6e8e.1259 (model AIR-CAP2602I-E-K), dropping the packet
    *spamApTask0: Nov 20 16:32:52.204: %CAPWAP-3-DTLS_CLOSED_ERR: capwap_ac_sm.c:7238 5c:a4:8a:1e:c2:60: DTLS connection closed forAP 192:168:128:13 (57639), Controller: 192:168:128:100 (5246) Join Request Process Failed

    This is the logging from the 2602I side:
    Translating “CISCO-CAPWAP-CONTROLLER”…domain server (
    *Nov 16 16:33:39.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
    *Nov 16 16:33:40.323: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: peer_port: 5246
    *Nov 16 16:33:40.323: %CAPWAP-5-SENDJOIN: sending Join Request to
    *Nov 16 16:33:40.327: %DTLS-5-ALERT: Received WARNING : Close notify alert from
    *Nov 16 16:33:40.327: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to

    I see you are also using 2602 APs with ME controller. My question is what did you do to enable the 2602 APs to join the ME controller? Are certain specific IOS releases required on the 2602 APs (it seems the IOS release I have on my 2602 doesn’t support joining a ME controller)?

    Thank you for your attention on this matter. Your reply would be greatly appreciated!

    Kind regards,

    1. Hello David,

      You are running ME 8.8 code on the controller. This code does not support the 2602 AP’s. Starting with 8.7 and higher only 802.11AC Wave1 AP’s (x700 series) are supported. I’m running ME off two 1852 AP’s. If you want to run the ME code with 2602’s as well, you need to have 8.5 code on your ME controller. You can check this out yourself at the wireless compatibility matrix at
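
The two controller-side messages quoted in the comment above show the pattern to look for when an AP fails to join: a JOIN_UNSUPP_AP line naming the model, paired with a DTLS_CLOSED_ERR line for the same MAC. As an added example (not part of the original post or its comments), this Python script groups such lines per AP; the third sample line and the function name are constructed for illustration.

```python
import re

# Lines 1-2 are the controller-side messages quoted in the comment above;
# line 3 is constructed for contrast (a join failure with no stated cause).
SAMPLE_LOG = """\
*spamApTask0: Nov 20 16:32:52.535: %CAPWAP-3-JOIN_UNSUPP_AP: capwap_ac_sm.c:5165 The system has received a join request from an unsupported AP 5c:a4:8a:1e:c2:60 AP78da.6e8e.1259 (model AIR-CAP2602I-E-K), dropping the packet
*spamApTask0: Nov 20 16:32:52.204: %CAPWAP-3-DTLS_CLOSED_ERR: capwap_ac_sm.c:7238 5c:a4:8a:1e:c2:60: DTLS connection closed forAP 192:168:128:13 (57639), Controller: 192:168:128:100 (5246) Join Request Process Failed
*spamApTask0: Nov 20 16:40:01.000: %CAPWAP-3-DTLS_CLOSED_ERR: capwap_ac_sm.c:7238 00:11:22:33:44:55: DTLS connection closed forAP 192:168:128:14 (50000), Controller: 192:168:128:100 (5246) Join Request Process Failed
"""

LINE = re.compile(
    r"^\*\w+: (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
MODEL = re.compile(r"\(model (?P<model>[^)]+)\)")
AP_IP = re.compile(r"forAP (?P<ip>\d+(?::\d+){3}) \(")


def summarize_join_failures(log_text):
    """Group CAPWAP join failures by the AP MAC as logged and attach a cause."""
    failures = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["facility"] != "CAPWAP":
            continue
        mac = MAC.search(m["msg"])
        if not mac:
            continue
        entry = failures.setdefault(
            mac.group(0).lower(),
            {"model": None, "ap_ip": None, "cause": "unexplained"},
        )
        if m["mnemonic"] == "JOIN_UNSUPP_AP":
            # The controller states the reason itself: model not supported.
            model = MODEL.search(m["msg"])
            entry["model"] = model["model"] if model else None
            entry["cause"] = "unsupported-model"
        elif m["mnemonic"] == "DTLS_CLOSED_ERR":
            ip = AP_IP.search(m["msg"])
            # This log format prints IPv4 addresses with ':' separators.
            entry["ap_ip"] = ip["ip"].replace(":", ".") if ip else None
    return failures


if __name__ == "__main__":
    for mac, info in summarize_join_failures(SAMPLE_LOG).items():
        print(mac, info)
```

A DTLS closure with no matching JOIN_UNSUPP_AP line is the case that needs a closer look, since the controller gave no model-compatibility reason for it.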

  2. Hi Pieter-Jan,
    Thank you for your quick reply and the Cisco wireless compatibility matrix link.
    They are very helpful!
    Kind regards,

  3. Hi Pieter,

    Can you explain the section IP AP vs controller IP. In your post, we can configure the controller IP through web wizard (by connecting to So, how can I configure the AP IP, is the IP for service clients like a normal AP?

    1. Hello Mark,

      The common deployment is to use DHCP for the AP IP address assignment. So every AP in your ME deployment is in the same subnet and gets the IP address from the DHCP server. IP broadcasts are used to discover the controller, which is essentially a separate VM on an AP.

      Does this make it a bit more clear?

      1. Dear Pieter-Jan,

        I have a question about IP address of master AP.

        1) For example, if the master AP (with controller IP A.A.A.A) is down, the newly elected master AP (which has IP B.B.B.B when it is a slave AP) gets A.A.A.A, right?

        2) When the old Master IP comes back online, is it a Slave or Master? If it is a Slave, what IP does it have; does it get a new IP from DHCP? In case I want it to have a static IP (when it comes back), how do I configure that?

        1. Hello Mark,

          On 1), the AP that fulfills the controller role has two IP addresses, one for the AP code and one for the controller. If that AP fails, after election the new AP with the controller role will have two IP addresses, one for its own AP (remains the same) and the IP address for the controller. So effectively, the IP address for the controller code is moving with the controller role to the new AP.

          2) When the old AP comes back, it will detect that there is already an AP with the controller role, so it will just join that controller. You can manually flip it to the original AP though.

          In summary:
          You configure a static IP address for the controller role for configuration and the AP’s will get a dynamic IP address from DHCP and use the IP broadcast to discover the controller role. That static IP moves with the controller code to whatever AP within the Mobility Express network is currently the master.


          1. Hi Pieter-Jan,

            Thanks much, now I understand about controller role IP address and AP IP address.

            But I want to know whether I can assign the AP IP address statically to the AP (by CLI), not by DHCP.

          2. Yes, you can assign each AP an individual IP address, just as you can do with the other controller-based deployments. But it is not really recommended because of manageability.
